SB2020013130 - Multiple vulnerabilities in TianoCore edk2




Published: January 31, 2020
Updated: August 8, 2020

Security Bulletin ID SB2020013130
Severity Medium
Patch available YES
Number of vulnerabilities 2
Exploitation vector Physical access
Highest impact Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Integer overflow (CVE-ID: CVE-2014-4859)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Integer overflow in the Driver Execution Environment (DXE) phase in the Capsule Update feature in the UEFI implementation in EDK2 allows physically proximate attackers to bypass intended access restrictions via crafted data.


2) Integer overflow (CVE-ID: CVE-2014-4860)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Multiple integer overflows in the Pre-EFI Initialization (PEI) boot phase in the Capsule Update feature in the UEFI implementation in EDK2 allow physically proximate attackers to bypass intended access restrictions by providing crafted data that is not properly handled during the coalescing phase.


Remediation

Install update from vendor's website.